On 1/25/21 5:25 AM, Todd Herr wrote:
On Sun, Jan 24, 2021 at 9:53 PM Michael Thomas <[email protected]> wrote:
On 1/24/21 6:29 PM, John R. Levine wrote:
> I realized why the arguments about whether to require authentication
> on reports are pointless.
>
A blatant assertion. The onus of proof is with people who say we should accept information from unknown sources. Extraordinary claims require extraordinary evidence. I have been doing security related stuff for long enough to know that being humble in the face of adversaries is the most prudent course. State actors can get involved when they figure they can game things to their advantage. To be dismissive is complete hubris.
I've spent several days thinking about these tickets, and for the life of me I can't see what the payoff might be for someone to forge a DMARC report.

I suppose nominally there's a denial of service risk, where a bad actor could flood a rua or ruf mailbox with forged reports or just email in general, but that's going to exist whether or not the "reports" are DKIM-signed.
The main thing I've learned over the years of dealing with security is to not underestimate what a motivated attacker can do. Your imagination is not the same as their imagination. Closing #98 in particular is absolutely ridiculous: the report should already have a DKIM signature or SPF so it's just a matter of making sure it's valid. Why would you *not* want to ensure that? The amount of justification for *not* having the receiver authenticate it is a mountain. The amount of effort to authenticate it is trivial for mail. Levine's dismissal of security concerns because he has anecdotal "evidence" from a backwater domain carries no weight at all.
Mike
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
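The receiver-side check Mike describes (the report arrives as ordinary mail that already carries DKIM and/or SPF results, so the report consumer only has to confirm those results before trusting the report) looks roughly like the following. This is an added illustration, not code from the thread, the DMARC specification or any mail tool. It assumes the receiving MTA has already evaluated DKIM and SPF and stamped an Authentication-Results header with the authserv-id `mx.example.net` (an assumed value); the report consumer then requires a pass stamped by that authserv-id whose domain aligns with the organisation the report claims to come from, and ignores Authentication-Results headers carrying any other authserv-id, since an upstream sender can add those itself. The sample message and XML are constructed, the XML is embedded uncompressed rather than gzipped as real reports are, and `org_domain` uses a two-label heuristic where production code would consult the Public Suffix List.

```python
"""Accept a DMARC aggregate report only if our own MTA authenticated it
and the authenticated domain aligns with the report's claimed reporter.

Added example; sample message, XML and authserv-id are all constructed."""
import email
import re
import xml.etree.ElementTree as ET
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

OUR_AUTHSERV_ID = "mx.example.net"  # assumed authserv-id our MTA stamps

# Constructed aggregate-report body (only the metadata matters here).
REPORT_XML = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>Reporter Example</org_name>
    <email>dmarc-reports@reporter.example</email>
    <report_id>constructed-1</report_id>
  </report_metadata>
</feedback>"""


def org_domain(domain: str) -> str:
    """Crude organisational domain: last two labels (real code: use the PSL)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def authenticated_domains(msg: Message) -> set:
    """Domains with a DKIM or SPF pass in Authentication-Results headers that
    were stamped by OUR_AUTHSERV_ID. Headers from any other authserv-id are
    ignored because the sender could have added them."""
    domains = set()
    for hdr in msg.get_all("Authentication-Results", []):
        hdr = " ".join(hdr.split())  # unfold any header line folding
        authserv, _, results = hdr.partition(";")
        tokens = authserv.split()
        if not tokens or tokens[0].lower() != OUR_AUTHSERV_ID:
            continue
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results):
            domains.add(m.group(1).lower())
        for m in re.finditer(
                r"spf=pass\b[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", results):
            domains.add(m.group(1).lower())
    return domains


def report_org_domain(xml_bytes: bytes) -> str:
    """Domain of report_metadata/email, i.e. who the report claims to be from."""
    addr = ET.fromstring(xml_bytes).findtext("report_metadata/email") or ""
    if "@" not in addr:
        raise ValueError("report_metadata/email missing or malformed")
    return addr.rsplit("@", 1)[1].lower()


def accept_report(raw_message: bytes) -> tuple:
    """Return (accepted, reason) for an inbound report message."""
    msg = email.message_from_bytes(raw_message)
    auth = authenticated_domains(msg)
    if not auth:
        return False, "no DKIM/SPF pass stamped by our own authserv-id"
    xml_part = None
    for part in msg.walk():
        if part.get_content_type() in ("application/xml", "text/xml"):
            xml_part = part.get_payload(decode=True)
            break
    if xml_part is None:
        return False, "no XML report part"
    claimed = org_domain(report_org_domain(xml_part))
    if any(org_domain(d) == claimed for d in auth):
        return True, "authenticated domain aligns with " + claimed
    return False, "authenticated %s does not align with claimed %s" % (sorted(auth), claimed)


def build_sample(auth_results_header: str) -> bytes:
    """Construct a minimal report message carrying the given header (test data)."""
    outer = MIMEMultipart()
    outer["From"] = "dmarc-reports@reporter.example"
    outer["To"] = "rua@ourdomain.example"
    outer["Subject"] = "Report Domain: ourdomain.example Submitter: reporter.example"
    outer["Authentication-Results"] = auth_results_header
    outer.attach(MIMEText("aggregate report attached"))
    outer.attach(MIMEApplication(REPORT_XML, _subtype="xml"))
    return outer.as_bytes()


# Three constructed cases: genuine, header forged upstream, misaligned signer.
GOOD = ("mx.example.net; dkim=pass (2048-bit key) header.d=reporter.example "
        "header.i=@reporter.example header.b=abc123; "
        "spf=pass smtp.mailfrom=dmarc-reports@reporter.example")
FORGED = "other.relay.example; dkim=pass header.d=reporter.example"
MISALIGNED = ("mx.example.net; dkim=pass header.d=attacker.example; "
              "spf=fail smtp.mailfrom=reporter.example")

if __name__ == "__main__":
    for label, hdr in (("good", GOOD), ("forged", FORGED), ("misaligned", MISALIGNED)):
        print(label, accept_report(build_sample(hdr)))
```

The point of the authserv-id filter is that Authentication-Results is only meaningful when the consumer knows which MTA wrote it; a sender can include the header itself, so anything not stamped by the local MTA is discarded before the alignment check runs. The same structure works for RFC 8617 ARC or for a direct DKIM verification library in place of the header parsing, as long as the trust decision is made on results the receiver produced.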